On Juniper SRX Firewall disable SIP ALG within firewall policy

In a previous post I described how SIP ALG can be of benefit on Juniper SRX firewalls. But in some cases, where the phone clients do not support RFC 3581 and SIP ALG is enabled, the SRX firewall will drop the traffic. When SIP ALG is enabled it is applied globally; basically it is on or off for the “whole” firewall.

In this example the private PBX is located in the LAN A subnet and the phone clients are located in the LAN B subnet. SIP ALG is enabled on the SRX firewall and is used for the communication between the provider PBX and the private PBX.

For the communication between the phone clients and the private PBX, SIP ALG is disabled within the firewall policy by matching a custom application whose term is set to “alg ignore”:


[edit applications]
set application DisableSIP_ALG term t1 alg ignore
set application DisableSIP_ALG term t1 protocol udp

[edit security]
set zones security-zone LAN-A address-book address PrivatePBX

[edit security]
set zones security-zone LAN-B address-book address LAN-B-NET

[edit security policies from-zone LAN-A to-zone LAN-B]
set policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set policy PBX-to-LAN-B-DisableSIPALG match destination-address LAN-B-NET
set policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set policy PBX-to-LAN-B-DisableSIPALG then permit

[edit security policies from-zone LAN-B to-zone LAN-A]
set policy LAN-B-to-PBX-DisableSIPALG match source-address LAN-B-NET
set policy LAN-B-to-PBX-DisableSIPALG match destination-address PrivatePBX
set policy LAN-B-to-PBX-DisableSIPALG match application DisableSIP_ALG
set policy LAN-B-to-PBX-DisableSIPALG then permit


Permit SIP traffic through Juniper SRX with the help of SIP ALG

Have you ever wondered how to allow traffic from the provider's PBX to your PBX without creating an additional firewall policy with dynamic port ranges for the RTP stream?

This is where SIP ALG comes into play. SIP ALG recognizes SIP traffic and opens a pinhole in the firewall to allow the RTP stream from one PBX to the other for the duration of the session/call. No additional firewall policy for the RTP stream is needed when SIP ALG is used.

This kind of setup will only work if both PBXs support RFC 3581.

On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command “show security alg status”.

SIP ALG Status

In this example an additional IP address was provided by the ISP, and a static NAT mapping is configured from it to the IP address of the local PBX. That address will be used for SIP and RTP traffic.

SIP firewall diagram

[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address
set rule-set rs1 rule r1 then static-nat prefix

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address

[edit security]
set zones security-zone trust address-book address LocalPBX

[edit security]
set zones security-zone untrust address-book address ProviderPBX

[edit security policies from-zone untrust to-zone trust]
set policy PBX-Access-SIP match source-address ProviderPBX destination-address LocalPBX application junos-sip
set policy PBX-Access-SIP then permit
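As an added example (not part of either post and not Junos code), here is a small Python audit of set-style configuration like the blocks in both posts: it reports which policies bypass SIP ALG through a custom application with “alg ignore” and flags a bypass application that names only a protocol, since a policy using it permits every UDP port between the two address objects rather than only SIP and RTP. The regexes and the sample config are constructed for this example; the real output of “show configuration | display set” is assumed to use the same plain set syntax.

```python
import re

# Constructed sample: the application and policy lines from both posts as full
# 'set' statements. Address-book entries are omitted (their IPs are not given).
SAMPLE_CONFIG = """
set applications application DisableSIP_ALG term t1 alg ignore
set applications application DisableSIP_ALG term t1 protocol udp
set security policies from-zone LAN-A to-zone LAN-B policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set security policies from-zone LAN-A to-zone LAN-B policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set security policies from-zone LAN-A to-zone LAN-B policy PBX-to-LAN-B-DisableSIPALG then permit
set security policies from-zone untrust to-zone trust policy PBX-Access-SIP match source-address ProviderPBX
set security policies from-zone untrust to-zone trust policy PBX-Access-SIP match application junos-sip
set security policies from-zone untrust to-zone trust policy PBX-Access-SIP then permit
"""

# Single-term custom applications are assumed (the posts only use term t1).
APP_RE = re.compile(r"^set applications application (\S+) term (\S+) "
                    r"(alg|protocol|destination-port) (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (?:match (\S+) (\S+)|then (\S+))$")

def parse_config(text):
    """Return (apps, policies): app name -> term attributes, policy name -> fields."""
    apps, policies = {}, {}
    for line in text.strip().splitlines():
        a, p = APP_RE.match(line), POL_RE.match(line)
        if a:
            apps.setdefault(a[1], {})[a[3]] = a[4]
        elif p:
            pol = policies.setdefault(p[3], {"from": p[1], "to": p[2]})
            pol[p[4] or "action"] = p[5] or p[6]   # match field, or 'then' action
    return apps, policies

def audit_alg_bypass(text):
    """Per policy: is SIP ALG bypassed via 'alg ignore', and is that bypass scoped
    to a destination port? Predefined apps (junos-sip) are never a bypass."""
    apps, policies = parse_config(text)
    report = {}
    for name, pol in policies.items():
        app = apps.get(pol.get("application"), {})
        bypassed = app.get("alg") == "ignore"
        report[name] = {
            "zones": f"{pol['from']}->{pol['to']}",
            "alg_bypassed": bypassed,
            # 'protocol udp' with no destination-port permits every UDP port.
            "unscoped_bypass": bypassed and "destination-port" not in app,
        }
    return report
```

Running audit_alg_bypass(SAMPLE_CONFIG) marks PBX-to-LAN-B-DisableSIPALG as an unscoped bypass and PBX-Access-SIP as still subject to the ALG.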